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Status of this Memo 


This document specifies an Internet standards track protocol for the 
Internet community, and requests discussion and suggestions for 


improvements. Please refer to the current edition of the "Internet 

Official Protocol Standards" (STD 1) for the standardization state 

and status of this protocol. Distribution of this memo is unlimited. 
Abstract 


This document describes the use of keyed MD5 with the IP 
Authentication Header. 
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Introduction 


The Authentication Header (AH) [RFC-1826] provides integrity and 
authentication for IP datagrams. This specification describes the AH 
use of keys with Message Digest 5 (MD5) [RFC-1321]. 


All implementations that claim conformance or compliance with the 
Authentication Header specification MUST implement this keyed MD5 
mechanism. 


This document assumes that the reader is familiar with the related 
document "Security Architecture for the Internet Protocol" [RFC- 
1825], which defines the overall security plan for IP, and provides 
important background for this specification. 


1. Keys 


The secret authentication key shared between the communicating 
parties SHOULD be a cryptographically strong random number, not a 
guessable string of any sort. 


The shared key is not constrained by this transform to any particular 
size. Lengths of up to 128 bits MUST be supported by the 
implementation, although any particular key may be shorter. Longer 
keys are encouraged. 


-2. Data Size 


MD5’s 128-bit output is naturally 64-bit aligned. Typically, there 
is no further padding of the Authentication Data field. 


3. Performance 


MD5 software speeds are adequate for commonly deployed LAN and WAN 
links, but reportedly are too slow for newer link technologies [RFC- 
1810]. 


Nota Bene: 
Suggestions are sought on alternative authentication algorithms 
that have significantly faster throughput, are not patent- 
encumbered, and still retain adequate cryptographic strength. 
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2. Calculation 
The 128-bit digest is calculated as described in [RFC-1321]. The 
specification of MD5 includes a portable ’C’ programming language 
description of the MD5 algorithm. 
The form of the authenticated message is 
key, keyfill, datagram, key, MD5fill 
First, the variable length secret authentication key is filled to the 


next 512-bit boundary, using the same pad with length technique 
defined for MD5. 


Then, the filled key is concatenated with (immediately followed by) 
the invariant fields of the entire IP datagram (variant fields are 
zeroed), concatenated with (immediately followed by) the original 
variable length key again. 


A trailing pad with length to the next 512-bit boundary for the 
entire message is added by MD5 itself. The 128-bit MD5 digest is 
calculated, and the result is inserted into the Authentication Data 
field. 


Discussion: 
When the implementation adds the keys and padding in place before 
and after the IP datagram, care must be taken that the keys and/or 
padding are not sent over the link by the link driver. 


Security Considerations 


Users need to understand that the quality of the security provided by 
this specification depends completely on the strength of the MD5 hash 
function, the correctness of that algorithm’s implementation, the 
security of the key management mechanism and its implementation, the 
strength of the key [CN94], and upon the correctness of the 
implementations in all of the participating nodes. 


At the time of writing of this document, it is known to be possible 
to produce collisions in the compression function of MD5 [dBB93]. 
There is not yet a known method to exploit these collisions to attack 
MD5 in practice, but this fact is disturbing to some authors 
[Schneier94]. 


It has also recently been determined [vOW94] that it is possible to 
build a machine for $10 Million that could find two chosen text 
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variants with a common MD5 hash value. However, it is unclear 
whether this attack is applicable to a keyed MD5 transform. 


This attack requires approximately 24 days. The same form of attack 
is useful on any iterated n-bit hash function, and the time is 
entirely due to the 128-bit length of the MD5 hash. 


Although there is no substantial weakness for most IP security 
applications, it should be recognized that current technology is 
catching up to the 128-bit hash length used by MD5. Applications 
requiring extremely high levels of security may wish to move in the 
near future to algorithms with longer hash lengths. 
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